
Reinventing Remote Access With DirectAccess

Reinventing Remote Access With DirectAccess. Scott Roberts Lead Program Manager Microsoft Session Code: WSV320 . Agenda. Secure Access Landscape Demo DirectAccess Solution Benefits Deployment Models & Requirements Name Resolution Supporting Technologies Diagnostics



Presentation Transcript


  1. Reinventing Remote Access With DirectAccess
  Scott Roberts, Lead Program Manager, Microsoft
  Session Code: WSV320

  2. Agenda
  • Secure Access Landscape
  • Demo
  • DirectAccess Solution
  • Benefits
  • Deployment Models & Requirements
  • Name Resolution
  • Supporting Technologies
  • Diagnostics
  • Questions & Answers

  3. Mobile Workforce: Increasingly Porous Perimeter
  • Mobile data
  • Globalization

  4. "Re-Perimeterization"
  “My network is where my buildings are”
  • How to manage, monitor, and support remote users/machines all the time?
  • How to simplify remote workers’ access?
  “My network is where my users and assets are”

  5. Industry Trends
  • Assume the underlying network is always unsecure
  • Redefine the corporate edge to protect the datacenter
  • Security policies based on identity, not location
  [Diagram labels: Enterprise Network; DirectAccess Server; Internet; Data Center and Business Critical Resources; Local User; Remote User]

  6. Windows Server 2008 R2: Addressing Enterprise Needs
  • Work Anywhere infrastructure using DirectAccess

  7. DirectAccess • Providing seamless, secure access to enterprise resources from anywhere

  8. Demo: DirectAccess in Action

  9. Benefits Of DirectAccess: Bringing the corporate network to the user
  More productive / More secure / More manageable and cost effective:
  • Always-on access to corpnet while roaming
  • No explicit user action required – it just works
  • Same user experience on premise and off
  • Simplified remote management of mobile resources as if they were on the LAN
  • Lower total cost of ownership (TCO) with an “always managed” infrastructure
  • Unified secure access across all scenarios and networks
  • Integrated administration of all connectivity mechanisms
  • Healthy, trustable host regardless of network
  • Fine-grain per app/server policy control
  • Richer policy control near assets
  • Ability to extend regulatory compliance to roaming assets
  • Incremental deployment path toward IPv6

  10. Always On
  • Always connected
  • No user action required
  • Adapts to changing networks

  11. Secure
  • Encrypted by default
  • Works with smartcards
  • Granular access control
  • Coexists with existing edge, health, and access policies

  12. Manageable
  • Reach out to previously untouchable machines
  • Allows remote clients to process Group Policies
  • NAP integration for health compliance
  • Consolidate edge infrastructure

  13. VPN vs. DirectAccess - Value

  14. [Diagram: DirectAccess Client (Windows 7) connects across the Internet to the DirectAccess Server (Server 2008 R2), either tunnelled over IPv4 (UDP, HTTPS, etc.) or over native IPv6, in both cases encrypted with IPsec+ESP. Labels: IPsec Gateway; 6to4; Teredo; IP-HTTPS; IPsec hardware offload supported]

  15. Enabling IPv6 in the Enterprise: Option 1 - ISATAP
  [Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications on Windows Server 2008/R2; IPv6; IPv6; IPv4]

  16. Enabling IPv6 in the Enterprise: Option 2 – NAT-PT
  [Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications on Windows Server 2003 and non-Windows hosts; NAT-PT; DNS-ALG; IPv6; IPv4]

  17. Enterprise Network
  [Diagram labels: DirectAccess Server (Server 2008 R2); Line of Business Applications; No IPsec; IPsec Integrity Only (Auth); IPsec Integrity + Encryption; Windows Server 2003; Windows Server 2008; Non-Windows Server; IPsec Gateway; IPsec hardware offload supported]

  18. Deployment Models

  19. Deployment Scenario: End-to-Edge Encryption
  • No overhead of encryption on application servers
  • Edge enforces machine/user authentication and data encryption
  • Least change from customer’s existing edge deployments
  [Diagram: Windows 7 client (trusted, compliant, healthy machine) on the Internet; DirectAccess Server (Server 2008 R2) at the edge of the Corporate Network; DC & DNS (Server 2008 SP2/R2); Applications & Data (non-IPsec enabled). Tunnels: IPsec ESP tunnel encryption using machine cert (DC/DNS access); IPsec ESP tunnel encryption using user Kerberos/health cert/smartcard for broad network access. Clear-text traffic from the client flows through the encrypted tunnel to corporate network resources]

  20. Deployment Scenario: End-to-Edge Encryption + End-to-End IPsec
  • No overhead of encryption on application servers (just authentication)
  • DirectAccess edge encryption combined with end-to-end IPsec Server and Domain Isolation
  [Diagram: Windows 7 client (trusted, compliant, healthy machine) on the Internet; DirectAccess Server (Server 2008 R2) at the edge of the Corporate Network; DC & DNS (Server 2008 SP2/R2); Applications & Data (IPsec-enabled). Tunnels: IPsec ESP tunnel encryption using machine cert (DC/DNS access); IPsec ESP tunnel encryption using user Kerberos/health cert/smartcard for broad network access; IPsec ESP-Null AuthIP transport end to end. Traffic flows through the encrypted tunnel to corporate network resources]

  21. Deployment Scenario: End-to-End IPsec Transport Encryption
  • Thin edge solution using IPsec
  • Denial of Service Protection (DoSP) service only allows IPsec & ICMP traffic
  • Full end-to-end IPsec encryption
  • IP-HTTPS tunnel used for proxy scenarios only
  [Diagram: Windows 7 client (trusted, compliant, healthy machine) on the Internet; DirectAccess Server (Server 2008 R2); Corporate Network with DC & DNS (Server 2008 SP2/R2) and Applications & Data (IPsec-enabled); IPsec ESP-encrypted transport to access corporate network resources]

  22. Deployment Requirements

  23. Deployment Requirements

  24. Name Resolution

  25. Name Resolution Policy Table (NRPT)
  • New feature in Windows 7
  • Used by the DirectAccess client to determine which DNS server to use based on namespace
  • New name resolution order:
    • Local cache
    • Hosts file
    • NRPT
    • DNS

  26. NRPT
  • For any given query, if the domain matches an entry in the NRPT, the query will be sent to the DNS servers specified in the NRPT
  • These are internal DNS servers – they do not need to be dedicated to DirectAccess, and they do not need to be in the DMZ
  • If the name doesn't match an NRPT entry, the query will be sent to the DNS server configured for the interface
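The resolution order on slide 25 and the NRPT matching rule on slide 26 can be written out as a small decision model. The following is an added example, not code from the presentation or from Microsoft: it models a client that checks the local cache, then the hosts file, then the NRPT, and only then the interface DNS server. The table entries, hostnames and addresses are constructed, and the choice of the most specific (longest) matching suffix when several NRPT entries apply is an assumption of this model rather than something the slides state.

```python
"""Model of the Windows 7 DirectAccess name-resolution order (cache, hosts,
NRPT, interface DNS).  Added illustration; all data below is constructed."""

from dataclasses import dataclass, field


@dataclass
class NrptRule:
    namespace: str          # ".corp.example.test" (leading dot = suffix rule), or an exact name
    dns_servers: list[str]  # internal DNS servers that answer for this namespace


@dataclass
class Resolver:
    local_cache: dict[str, str] = field(default_factory=dict)
    hosts_file: dict[str, str] = field(default_factory=dict)
    nrpt: list[NrptRule] = field(default_factory=list)
    interface_dns: list[str] = field(default_factory=list)

    def match_nrpt(self, name):
        """Return the NRPT rule matching `name`, preferring the most specific
        (longest) suffix when several rules apply; None if nothing matches.
        Longest-suffix preference is an assumption of this model."""
        fqdn = name.rstrip(".").lower()
        best = None
        for rule in self.nrpt:
            ns = rule.namespace.lower()
            # Suffix rule: any host under the namespace; otherwise exact match.
            hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
            if hit and (best is None or len(ns) > len(best.namespace)):
                best = rule
        return best

    def plan(self, name):
        """Decide where a query for `name` is answered, in the slide's order.
        Returns (source, answer-or-servers)."""
        fqdn = name.rstrip(".").lower()
        if fqdn in self.local_cache:
            return ("cache", self.local_cache[fqdn])
        if fqdn in self.hosts_file:
            return ("hosts", self.hosts_file[fqdn])
        rule = self.match_nrpt(fqdn)
        if rule is not None:
            return ("nrpt", rule.dns_servers)          # internal DNS via DirectAccess
        return ("interface", self.interface_dns)      # whatever DNS the local link handed out


def build_sample_resolver():
    """Constructed configuration: two intranet namespaces steered to internal
    DNS servers, everything else left to the interface's DNS server."""
    return Resolver(
        local_cache={"portal.corp.example.test": "2001:db8::10"},
        hosts_file={"build.corp.example.test": "2001:db8::20"},
        nrpt=[
            NrptRule(".corp.example.test", ["2001:db8::53"]),
            NrptRule(".lab.corp.example.test", ["2001:db8:1::53"]),
        ],
        interface_dns=["192.0.2.53"],
    )


def demo():
    """Run a set of constructed queries through the model and return the plan for each."""
    r = build_sample_resolver()
    names = [
        "portal.corp.example.test",      # answered from local cache
        "build.corp.example.test",       # answered from hosts file
        "fileserver.corp.example.test",  # NRPT -> corp DNS
        "host1.lab.corp.example.test",   # NRPT -> more specific lab DNS
        "www.example.com",               # no NRPT match -> interface DNS
    ]
    return {n: r.plan(n) for n in names}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32} -> {decision[0]:9} {decision[1]}")
```

The point the model makes visible is that an NRPT entry only steers names that fall under a configured namespace; a name that matches nothing goes to the link-local DNS server exactly as it would on a client without DirectAccess, which is why the namespaces in the table must cover every internal zone the remote client is expected to reach.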

  27. Supporting Technologies

  28. DirectAccess Supporting Technologies
  [Diagram: Windows 7 client (trusted, compliant, healthy machine); Corporate Network with DC & DNS (Server 2008 R2) and Applications & Data. Supporting technologies: Forefront UAG / IAG SP2; NAP (includes Server & Domain Isolation [SDI]); Forefront Client Security; Windows Firewall; BitLocker + Trusted Platform Module (TPM)]

  29. DirectAccess Supporting Technologies
  [Diagram labels: Internet; Forefront Client Security; Non-Compliant Client; Compliant Client; Unmanaged Client; NAP / NPS Servers; IPsec/IPv6; DA Server; IAG SP2; CORPNET User; CORPNET Compliant Network; Data Center and Business Critical Resources]

  30. DirectAccess + UAG extends the benefits of Windows DirectAccess, enabling an easy migration path and enhanced scalability.

  31. DirectAccess – Solution
  UAG and DirectAccess better together:
  • Extends access to line of business servers with IPv4 support
  • Access for down-level and non-Windows clients
  • Enhances scalability and management
  • Simplifies deployment and administration
  • Hardened edge solution
  [Diagram labels: Managed Windows 7 (IPv6, Always On DirectAccess); Unmanaged Vista/XP (IPv4, SSL VPN); Non-Windows + PDA (IPv4); DirectAccess Server; Extend support to IPv4 servers]
  • UAG provides access for down-level and non-Windows clients
  • UAG enhances scale and management with integrated LB and array capabilities
  • UAG improves adoption and extends access to existing infrastructure
  • UAG is a hardened edge appliance available in HW and virtual options
  • UAG uses wizards and tools to simplify deployments and ongoing management

  32. Diagnostics

  33. Diagnostics
  • Internet Explorer "Diagnose Problem" button: enhanced to troubleshoot DirectAccess
  • Networking icon (right-click): "Troubleshoot problems" option; supports providing a location and has a DirectAccess entry point
  • Control Panel, Troubleshooting: "Connect to a Workplace using DirectAccess"
  • Command Prompt (elevated): NETSH TRACE START SCENARIO=DIRECTACCESS

  34. Windows 7 Builds on Windows Vista: Deployment, testing, and pilots today will continue to pay off
  • Similar compatibility:
    • Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.)
    • Hardware that runs Windows Vista well will run Windows 7 well
  • Few changes: focus on quality and reliability improvements
  • Deep changes: new models for security, drivers, deployment, and networking

  35. Summary: Call to action
  • Windows Server 2008 R2 offers great innovation for your Anywhere Access infrastructure
  • Learn more about DirectAccess
  • Start deploying Windows Server 2008 now to get ready
  • http://www.microsoft.com/directaccess

  36. Resources
  • www.microsoft.com/teched: Sessions On-Demand & Community
  • www.microsoft.com/learning: Microsoft Certification & Training Resources
  • http://microsoft.com/technet: Resources for IT Professionals
  • http://microsoft.com/msdn: Resources for Developers

  37. Complete an evaluation on CommNet and enter to win!

  38. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
